Security

If a client connects using MQTT v5 with a Will message that has MQTT v5
properties attached, and the very first Will property is one of content-type,
correlation-data, payload-format-indicator, or response-topic, then at the
point the client disconnects the broker will attempt to read from memory that
has already been freed, resulting in a possible crash.

Broker

Fix memory access after free, leading to possible crash, when v5 client with
Will message disconnects, where the Will message has as its first property
one of content-type, correlation-data, payload-format-indicator, or
response-topic. Closes #1244.

This is a feature release and represents a substantial amount of change in the
project. Since version 1.5, the overall code line count for the broker, library
and clients has increased by 37% to 28k. Testing has been an important focus
for this release. The number of tests has increased from 102 to 412. The test
coverage, whilst still needing further improvement, has increased from 56% to
61%.

A summary of the notable features is given below.

MQTT v5 support

The big addition for this release is support for MQTT v5. This covers the
broker, client library and clients, and gives full support for the new
specification, although not every feature is yet exposed in the way it
eventually will be.

You can quickly test out a v5 client by using -V 5 and adding properties with
the -D option, for example:

The authentication plugin interface has been extended to allow use of the v5
extended authentication feature.

Performance improvements

A number of performance improvements have been implemented in the broker,
including the message routing logic, topic matching, and persistence file
reading/writing.

More improvements are planned for the next release.

New client - mosquitto_rr

mosquitto_rr is the "request-response" client, intended for the situation
where you want to publish a request message and await a response. It works best
with the MQTT v5 request-response features, but can be used with v3.1.1 servers
if the client it is talking to knows how to respond. This tool is almost
certainly not going to see as much use as mosquitto_sub or mosquitto_pub,
but is a useful utility to have available.
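The two MQTT v5 details discussed on this page, the Will properties named in the
security fix above and the response-topic / correlation-data pair that the
request-response pattern relies on, are easier to reason about on the wire. The
following is an added example in Python, not Mosquitto or libmosquitto code: it
builds a v5 CONNECT whose Will carries properties, parses the Will properties
back in wire order (the order the broker sees, so "first Will property" is
literal), and builds and parses a QoS 0 PUBLISH carrying request-response
properties. Property identifiers and packet layouts follow the MQTT v5
specification; the property set handled is limited to the four named above and
all sample values are constructed here.

```python
import struct

# Added example (not Mosquitto code). Property identifiers are from the MQTT v5 spec.
PAYLOAD_FORMAT_INDICATOR = 0x01   # one byte
CONTENT_TYPE = 0x03               # UTF-8 string
RESPONSE_TOPIC = 0x08             # UTF-8 string
CORRELATION_DATA = 0x09           # binary data

def encode_vbi(n):
    """Variable Byte Integer: 7 data bits per byte, bit 0x80 means another byte follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_vbi(buf, pos):
    value, mult = 0, 1
    while mult <= 128 ** 3:                      # at most four bytes, per the spec
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed Variable Byte Integer")

def lp(data):                                    # two-byte big-endian length prefix
    return struct.pack("!H", len(data)) + data

def read_lp(buf, pos):
    n = struct.unpack("!H", buf[pos:pos + 2])[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def encode_props(props):
    """props: ordered list of (identifier, value); wire order is preserved."""
    body = b""
    for ident, value in props:
        if ident == PAYLOAD_FORMAT_INDICATOR:
            body += bytes([ident, value])
        elif ident in (CONTENT_TYPE, RESPONSE_TOPIC, CORRELATION_DATA):
            body += bytes([ident]) + lp(value if ident == CORRELATION_DATA else value.encode("utf-8"))
        else:
            raise ValueError("property %#x not covered by this example" % ident)
    return encode_vbi(len(body)) + body

def decode_props(buf, pos):
    """Return ([(identifier, value), ...] in wire order, position after the properties)."""
    length, pos = decode_vbi(buf, pos)
    end, props = pos + length, []
    while pos < end:
        ident, pos = buf[pos], pos + 1
        if ident == PAYLOAD_FORMAT_INDICATOR:
            value, pos = buf[pos], pos + 1
        elif ident in (CONTENT_TYPE, RESPONSE_TOPIC, CORRELATION_DATA):
            raw, pos = read_lp(buf, pos)
            value = raw if ident == CORRELATION_DATA else raw.decode("utf-8")
        else:
            raise ValueError("property %#x not covered by this example" % ident)
        props.append((ident, value))
    if pos != end:
        raise ValueError("property length disagrees with contents")
    return props, pos

def build_connect(client_id, will_topic=None, will_payload=b"", will_props=()):
    """MQTT v5 CONNECT (clean start, no CONNECT properties) with an optional QoS 0 Will."""
    flags, payload = 0x02, lp(client_id.encode("utf-8"))
    if will_topic is not None:
        flags |= 0x04  # Will Flag; Will Properties come before Will Topic and Will Payload
        payload += encode_props(will_props) + lp(will_topic.encode("utf-8")) + lp(will_payload)
    body = lp(b"MQTT") + bytes([5, flags]) + struct.pack("!H", 60) + encode_props(()) + payload
    return bytes([0x10]) + encode_vbi(len(body)) + body

def will_props_from_connect(pkt):
    """Broker-side parse: the Will properties of a v5 CONNECT in wire order ([] if no Will)."""
    _, pos = decode_vbi(pkt, 1)
    name, pos = read_lp(pkt, pos)
    if pkt[0] != 0x10 or name != b"MQTT" or pkt[pos] != 5:
        raise ValueError("not an MQTT v5 CONNECT")
    flags, pos = pkt[pos + 1], pos + 4     # skip version, flags, keep alive
    _, pos = decode_props(pkt, pos)        # CONNECT properties
    _, pos = read_lp(pkt, pos)             # client identifier
    return decode_props(pkt, pos)[0] if flags & 0x04 else []

def build_publish(topic, payload, props=()):
    """QoS 0 PUBLISH with v5 properties (QoS 0 carries no packet identifier)."""
    body = lp(topic.encode("utf-8")) + encode_props(props) + payload
    return bytes([0x30]) + encode_vbi(len(body)) + body

def parse_publish(pkt):
    """Return (topic, properties, payload) of a QoS 0 v5 PUBLISH."""
    if pkt[0] >> 4 != 3 or (pkt[0] >> 1) & 0x03:
        raise ValueError("not a QoS 0 PUBLISH")
    rem, pos = decode_vbi(pkt, 1)
    topic, cur = read_lp(pkt, pos)
    props, cur = decode_props(pkt, cur)
    return topic.decode("utf-8"), props, pkt[cur:pos + rem]
```

A requester publishes with a response-topic (and usually correlation-data) in
its properties; the responder parses the request with parse_publish, publishes
its reply to that response-topic and copies the correlation-data across so the
requester can match the reply, which is the exchange mosquitto_rr automates.
Note that every length field is trusted only after the enclosing length has
been read, and a property block whose declared length disagrees with its
contents is rejected rather than silently accepted.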

Contributed features

Some notable features have been contributed by the community.

On the TLS front, support for ALPN allows bridges and clients to connect to
servers that serve multiple protocols on a single port. The new OCSP stapling
support allows the revocation status of the server's TLS certificate to be
checked from the OCSP response stapled to the handshake. Finally, TLS Engine
support has been added.

Away from TLS, support for Automotive DLT logging has been added, disabled by
default.

Deprecations

The C++ wrapper library, libmosquittopp is now deprecated and will be removed
in version 2.0. It remains largely unchanged since v1.5.

The C library, libmosquitto, is having its interface changed for version 2.0,
so any current function should be considered at risk. The rationale for this is
to consolidate the changes introduced since version 1.0, in particular the
large number of functions required to support MQTT v5, but that otherwise
closely match existing functions.

Support for TLS v1.0 has been dropped. Support for TLS v1.1 will be dropped in
version 2.0.

Changelog

The more detailed changelog is below, but does not include many of the
fixes and improvements that have been made:

The next test release of MQTT v5 support is available. This release includes
numerous bug fixes and feature changes, and also includes other features that
will be part of version 1.6 that are not related to MQTT v5.

Broker

Fix clients being disconnected when ACLs are in use. This only affects the
case where a client connects using a username, and the anonymous ACL list is
defined but specific user ACLs are not defined. Closes #1162.

Make error messages for missing config file clearer.

Fix some Coverity Scan reported errors that could occur when the broker was
already failing to start.

Build

Mosquitto 1.5.6 has been released to address three potential security vulnerabilities.

CVE-2018-12551

If Mosquitto is configured to use a password file for authentication, any
malformed data in the password file will be treated as valid. This typically
means that the malformed data becomes a username and no password. If this
occurs, clients can circumvent authentication and get access to the broker by
using the malformed username. In particular, a blank line will be treated as a
valid empty username. Other security measures are unaffected. Users who have
only used the mosquitto_passwd utility to create and modify their password
files are unaffected by this vulnerability. Affects versions 1.0 to 1.5.5
inclusive.

CVE-2018-12550

If an ACL file is empty, or has only blank lines or comments, then mosquitto
treats the ACL file as not being defined, which means that no topic access is
denied. Although denying access to all topics is not a useful configuration,
this behaviour is unexpected and could lead to access being incorrectly granted
in some circumstances. Affects versions 1.0 to 1.5.5 inclusive.

CVE-2018-12546

If a client publishes a retained message to a topic that they have access to,
and then their access to that topic is revoked, the retained message will still
be delivered to future subscribers. This behaviour may be undesirable in some
applications, so a configuration option check_retain_source has been
introduced to enforce checking of the retained message source on publish.
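Two of these three issues are about how configuration files are interpreted, so
the practical check before or after upgrading is to lint the files themselves.
The following is an added example in Python, not Mosquitto code: it flags
password-file lines that do not have the shape mosquitto_passwd writes in 1.x
(username:$6$salt$hash, the CVE-2018-12551 case, with blank lines called out
separately), reports an acl_file that contains no effective rules (the
CVE-2018-12550 case), and checks whether check_retain_source is set in a
mosquitto.conf (the option introduced for CVE-2018-12546). The acl_file
keywords assumed are user, topic and pattern; all file contents are
constructed here.

```python
import re

# Added example, not Mosquitto code: a pre-flight linter for the files that the
# 1.5.6 advisories concern. All sample contents below are constructed.

# Shape of a line written by mosquitto_passwd in 1.x: "username:$6$<base64 salt>$<base64 hash>".
PASSWD_LINE = re.compile(r"^[^:\s]+:\$6\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")

def lint_password_file(text):
    """Return (line number, problem) for every line that is not a well-formed entry.
    Brokers 1.0 to 1.5.5 accept such lines as a username with no password."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            problems.append((lineno, "blank line (accepted as a valid empty username before 1.5.6)"))
        elif not PASSWD_LINE.match(line):
            problems.append((lineno, "malformed entry: %r" % line))
    return problems

# Effective ACL rules: "topic [read|write|readwrite] <topic>" or "pattern ... <pattern>".
ACL_RULE = re.compile(r"^(topic|pattern)\s+((read|write|readwrite)\s+)?\S")
ACL_USER = re.compile(r"^user\s+\S")

def lint_acl_file(text):
    """Return (number of effective rules, [(line number, unrecognised line), ...]).
    Comment and blank lines are ignored, as the broker ignores them."""
    rules, unknown = 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if ACL_RULE.match(stripped):
            rules += 1
        elif not ACL_USER.match(stripped):
            unknown.append((lineno, stripped))
    return rules, unknown

def acl_verdict(text):
    """Human-readable summary; zero rules is the CVE-2018-12550 condition."""
    rules, unknown = lint_acl_file(text)
    if rules == 0:
        return "no effective rules: brokers 1.0 to 1.5.5 treat this as no ACL file (nothing denied)"
    extra = ", %d unrecognised line(s)" % len(unknown) if unknown else ""
    return "%d rule(s)%s" % (rules, extra)

def check_retain_source_enabled(conf_text):
    """True if the configuration sets check_retain_source true (available from 1.5.6)."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "check_retain_source":
            return parts[1].lower() == "true"
    return False

# Constructed sample inputs.
SAMPLE_PASSWD = (
    "alice:$6$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaGhhc2g=\n"
    "\n"                  # blank line
    "bob\n"               # no separator, no hash
    "carol:plaintext\n"   # not a $6$ hash
)
SAMPLE_ACL_EMPTY = "# rules to be added later\n\n"
SAMPLE_ACL = "user alice\ntopic read sensors/#\npattern write clients/%c/#\n"
SAMPLE_CONF = "listener 1883\npassword_file /etc/mosquitto/passwd\ncheck_retain_source true\n"
```

Run lint_password_file over the real password file before trusting it on a
broker older than 1.5.6; a file only ever touched by mosquitto_passwd should
produce no findings. For the ACL file, "no effective rules" means the file does
not deny anything on the affected versions, so either add the rules you intend
or remove the acl_file setting until you do.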

Version 1.5.5 changes

Security

If per_listener_settings is set to true, then the acl_file setting was
ignored for the "default listener" only. This has been fixed. This does not
affect any listeners defined with the listener option. Closes #1073.
This is now tracked as CVE-2018-20145.

Broker

Add socket_domain option to allow listeners to disable IPv6 support.
This is required to work around a problem in libwebsockets that means
sockets only listen on IPv6 by default if IPv6 support is compiled in.
Closes #1004.

When using ADNS, don't ask for all network protocols when connecting,
because this can lead to confusing "Protocol not supported" errors if the
network is down. Closes #1062.

Fix outgoing retained messages not being sent by bridges on initial
connection. Closes #1040.

Don't reload auth_opt_ options on reload, to match the behaviour of the
other plugin options. Closes #1068.

Print message on error when installing/uninstalling as a Windows service.

Client

Build

Development of support for MQTT 5 is ongoing and making good progress, but has
been substantially delayed due to other non-Mosquitto work having to take
priority.

It is possible to test the current state of MQTT 5 support by using the mqtt5
branch of the repository. Please note that this is very much a work in
progress, so parts are incomplete and interfaces may yet change. The client
library in particular has had to gain a number of new functions in order to
provide the new features while remaining backwards compatible.
Part of the plan for the 2.0 release, which will follow after 1.6, is to
consolidate the libmosquitto API with breaking changes. There are more details
on the roadmap.

Current features include:

Support for all incoming and outgoing packets, although not everything is
processed.

Support for sending and receiving all properties, with not all properties
processed.